We all know about the impact of Edward Snowden’s decision to leak information about the NSA PRISM program. This has had a huge political impact in the USA, the UK and many other countries around the world.

The reactions to these leaks have been quite polarized, with some people condemning the leaks and others being just as ardent in their condemnation of the PRISM program. I don’t usually write about political events in this blog, and I certainly don’t intend to comment on which of these responses I think is correct, but I do think there are some important lessons for IT people to learn from what happened.

When I think about what happened, I think about how my customers use big data to create value, and how this overlaps with their privacy policies.

Every IT organization using big data needs to think about privacy issues, and what might happen if the press published articles about what they are doing. Ideally you should feel so confident that you would encourage the press to publish articles about your big data solution, because this would be good publicity that increases your reputation. If you would be worried about the consequences of press articles then maybe you need to review your privacy policy and make sure that you are doing the right thing by your shareholders, your customers and your employees.

If you want to be confident about privacy and big data then you need to follow these steps:

Create a privacy policy. This should be agreed by executive management as part of your corporate governance. It should be clear, unambiguous and easy for everyone to understand. Depending on your industry, and the countries you operate in, you will have to comply with privacy laws and regulations. It is essential that your privacy policy supports these, but simple compliance may not be sufficient. Think about how all your stakeholders would feel about your policy and make sure that you get the balance right.

Communicate the policy. The privacy policy should be communicated throughout your organization. You need to ensure that everyone understands their obligations and buys into them. This is not just a matter of sending an email to all staff; it requires Management of Change (MoC) to ensure that staff really do take on board their obligations for privacy.

Include privacy requirements in new and changed services. Ensure that privacy considerations are included in the requirements for every project for new or changed IT services. This should be mandated by the tools and processes you use for defining requirements.

Implement privacy tools and technical solutions. You will almost certainly need a range of technical solutions and tools to ensure that your big data solution implements and complies with the requirements of your privacy policy. This can include a combination of field masking, data encryption, role-based access control and many other approaches.
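As an added illustration of the last step (this is example code written for this page, not a tool or design from the original post), the snippet below shows how a field-level policy can combine role-based access control with masking and keyed pseudonymisation on a single customer record. The roles, the field policy, the sample record and the pseudonymisation key are all constructed assumptions for the example; deny-by-default is used for any field the policy does not name, so a new column added to the data set is not exposed by accident.

```python
"""Role-based field masking for a customer record.

Added example, not from the original post. The roles, the policy table,
the sample record and the key below are constructed for illustration.
"""
import hashlib
import hmac

# Constructed sample record: not real customer data.
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "name": "Alice Example",
    "email": "alice@example.com",
    "card_number": "4111111111111111",
    "postcode": "SW1A 1AA",
    "spend_last_12m": 1234.50,
}

# Assumed policy: which roles may see each field in clear, and what happens
# otherwise. "pseudonymise" replaces the value with a keyed hash so analysts
# can still join on it without learning the identity; "mask_*" keeps only a
# non-identifying fragment; "drop" removes the field from the view entirely.
FIELD_POLICY = {
    "customer_id":    {"allow": {"support", "analyst", "auditor"}, "otherwise": "pseudonymise"},
    "name":           {"allow": {"support"},                       "otherwise": "drop"},
    "email":          {"allow": {"support"},                       "otherwise": "mask_email"},
    "card_number":    {"allow": set(),                             "otherwise": "mask_pan"},  # nobody sees a full PAN
    "postcode":       {"allow": {"support", "analyst"},            "otherwise": "drop"},
    "spend_last_12m": {"allow": {"support", "analyst", "auditor"}, "otherwise": "drop"},
}

# Assumed secret for pseudonymisation. In a real deployment this comes from a
# key management service and is rotated; it is hard-coded here only so the
# example runs offline.
PSEUDONYM_KEY = b"example-key-do-not-use-in-production"


def mask_pan(pan: str) -> str:
    """Keep only the last four digits of a card number, e.g. ************1111."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) <= 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(addr: str) -> str:
    """Keep the first character of the local part and the domain: a***@example.com."""
    local, _, domain = addr.partition("@")
    return f"{local[:1]}***@{domain}" if domain else "***"


def pseudonymise(value: str) -> str:
    """Keyed hash: a stable join key that cannot be reversed without PSEUDONYM_KEY."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


TRANSFORMS = {"mask_pan": mask_pan, "mask_email": mask_email, "pseudonymise": pseudonymise}


def apply_policy(record: dict, role: str) -> dict:
    """Return the view of `record` that `role` is permitted to see.

    Fields absent from FIELD_POLICY are dropped (deny by default), so adding a
    new column to the data set does not silently expose it to anyone.
    """
    view = {}
    for field, value in record.items():
        rule = FIELD_POLICY.get(field)
        if rule is None:
            continue  # unknown field: deny by default
        if role in rule["allow"]:
            view[field] = value
        elif rule["otherwise"] != "drop":
            view[field] = TRANSFORMS[rule["otherwise"]](str(value))
    return view


if __name__ == "__main__":
    for role in ("support", "analyst", "marketing"):
        print(role, apply_policy(SAMPLE_RECORD, role))
```

The point of keeping the policy in one table is that it can be reviewed by the people who own the privacy policy, while the code that enforces it stays the same for every role and every data set.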

If you get this right then you can feel confident that articles in the press will be good for your organization, and that privacy whistleblowers won’t be a threat to your business.

Throughout my career I’ve had the opportunity to work with several financial/securities firms and the general rule of thumb there was “it’s never good to be a cover story on the Wall Street Journal”. My concern is that we can take the Snowden incident and focus all of our attention on issues like: “How do we create compliant policies?” (Like those ever-so-useful EULAs that do more to confuse than clarify) and “How do we improve security so that information we want to keep private stays private?”

These are certainly important questions, but as they used to say in math class, these are necessary but not sufficient. This is an opportunity to also ask “What would happen if our customers really knew the details of our organization’s business practices?” I’m not talking about divulging trade secrets, but what if they really understood the policies to delay accounts payable, accelerate receivables, automatically renew, and misrepresent the value of (financial meltdown anyone?).

Bottom line: how would ALL of your business practices look in the light of day?

Thank you for that response. You are of course correct. Privacy policy is a governance issue and it is the responsibility of executives to define these things based on how they want the company to be run.

Stuart - you are right in what you say and companies need to be aware of how they secure their critical business information. Your approach of defining security/privacy policies, communicating them, embedding them into the project implementation lifecycle and then auditing effectiveness and efficiency as part of live services makes common sense.

The challenge, as you hint at, is how you change the culture of the organisation so EVERYONE recognises they are responsible for the security of the organisation's information.

In many ways I see this in the same way as the seat belt argument from several years ago, where people had to be persuaded to wear a seat belt for their own and others' safety. Nowadays we do this automatically, even if we started driving without seat belts, and many people have never known anything else apart from automatically belting up.

In the same way as the Government has changed our view on seatbelts over the years organisations need to treat information security as a Business Change activity so they embed responsibility into everyone's working day.

Thank you for your comment. I think you have correctly identified the most difficult, and most critical, step that organizations need to take.

Many of the difficult things in IT, security and ITSM come down to attitudes, behaviour, culture and management of organizational change. I suspect it is because so many IT people come from a technical background, so think that fixing the technology issues will make everything alright.